March 20, 2020 —
Due to the COVID-19 National Emergency in the United States, DCSA is suspending all Enhanced Security Vulnerability Assessments (ESVAs) and onsite activities until further notice. Facilities scheduled to receive an ESVA will instead be contacted virtually by their Industrial Security Representative (ISR) who will conduct a Continuous Monitoring Engagement. Detailed information on these engagements will be provided by your ISR.
The unique challenges presented by the coronavirus pandemic, including managing unprecedented security challenges will take the collective efforts of both government and industry. Please continue to share with us your challenges and working together we will work out solutions.
Facility Clearance Inquiries (Option 3 of the DCSA Knowledge Center) will be suspended until further notice. Status inquiries can be obtained by leaving a detailed voicemail message (on the Knowledge Center voice mail) or sending a detailed email to the Facility Clearance Branch (FCB) mailbox at firstname.lastname@example.org. Please include your Facility CAGE Code and name for all status inquiries. All messages will be returned within one day.
DCSA will extend all Authorizations to Operate (ATOs) expiring before April 18, 2020 for an additional 90 days. This will allow DCSA to work with Industry to ensure operations to support the warfighter and classified programs are sustained. The following guidance from the DCSA Assessment and Authorization Process Manual (DAAPM) is also provided:
Assess and Authorize Activities (DAAPM 2.1)
Security Control Assessment (SCA) activity will continue to occur. The onsite portion of the SCA activity will be delayed, deferred, or rescheduled. Documenting evidence of security and validation requirements remain unchanged; only the execution of onsite activity will change temporarily.
Audit Variances (DAAPM 12)
During periods of system inactivity (e.g., hibernation) or when a facility plans to stop work for an extended period of time (e.g., holiday shutdowns), an audit variance may be authorized. Periods of hibernation will not exceed 180 days without Regional Authorizing Official approval. When requesting an audit variance, Industry must have a Standard Operating Procedure (SOP) in place that specifies how the system will be protected during a dormant state. The SOP will include a process for protecting the system through the use of physical security controls (e.g., seals, locks, alarms, and GSA-approved containers), technical controls (e.g., whole disk encryption, disabled accounts, and audit logs), and immediate patching/ updates upon return to service. The audit variance will be authorized via the security plan (i.e., added as a supporting artifact). Industry is required to maintain a log of audit variance activities on-site. Audit variance documentation will be assessed during the ESVA and other engagement activities (e.g., Advise & Assist visits, periodic communications, etc.).
Recognizing the unique, fast-paced circumstances, DCSA will work with our industry partners who may not have had time to completely document and submit procedures to ensure safety and security. Your local Counterintelligence Special Agent (CISA), Information Systems Security Professional (ISSP), and Industrial Security Representative (ISR) remain your first points of contact.